refactor: avoid containers generated by Wireguard CRD to have excessive priviledge (#190)

winston0410 · web-flow · commit ce1e2dc062d5 · 2024-07-13T00:42:02.000+02:00
* patch metric

* make agent container to have a read-only fs

* use default seccomp profile
diff --git a/pkg/controllers/wireguard_controller.go b/pkg/controllers/wireguard_controller.go
@@ -681,6 +681,13 @@ func (r *WireguardReconciler) deploymentForWireguard(m *v1alpha1.Wireguard) *app
 	ls := labelsForWireguard(m.Name)
 	replicas := int32(1)
 
+	runAsNonRoot := true
+	runAsUser := int64(65534)
+	runAsGroup := int64(65534)
+	readOnlyRootFilesystem := true
+	allowPrivilegeEscalation := false
+	automountServiceAccountToken := false
+
 	dep := &appsv1.Deployment{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      m.Name + "-dep",
@@ -697,6 +704,12 @@ func (r *WireguardReconciler) deploymentForWireguard(m *v1alpha1.Wireguard) *app
 					Labels: ls,
 				},
 				Spec: corev1.PodSpec{
+					SecurityContext: &corev1.PodSecurityContext{
+						SeccompProfile: &corev1.SeccompProfile{
+							Type: corev1.SeccompProfileType("RuntimeDefault"),
+						},
+					},
+					AutomountServiceAccountToken: &automountServiceAccountToken,
 					Volumes: []corev1.Volume{
 						{
 							Name: "socket",
@@ -718,7 +731,15 @@ func (r *WireguardReconciler) deploymentForWireguard(m *v1alpha1.Wireguard) *app
 					Containers: []corev1.Container{
 						{
 							SecurityContext: &corev1.SecurityContext{
-								Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"NET_ADMIN"}},
+								RunAsUser:                &runAsUser,
+								RunAsGroup:               &runAsGroup,
+								RunAsNonRoot:             &runAsNonRoot,
+								ReadOnlyRootFilesystem:   &readOnlyRootFilesystem,
+								AllowPrivilegeEscalation: &allowPrivilegeEscalation,
+								Capabilities: &corev1.Capabilities{
+									Drop: []corev1.Capability{"ALL"},
+									Add:  []corev1.Capability{"NET_ADMIN"},
+								},
 							},
 							Image:           r.AgentImage,
 							ImagePullPolicy: r.AgentImagePullPolicy,
@@ -740,7 +761,9 @@ func (r *WireguardReconciler) deploymentForWireguard(m *v1alpha1.Wireguard) *app
 						},
 						{
 							SecurityContext: &corev1.SecurityContext{
-								Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"NET_ADMIN"}},
+								ReadOnlyRootFilesystem:   &readOnlyRootFilesystem,
+								AllowPrivilegeEscalation: &allowPrivilegeEscalation,
+								Capabilities:             &corev1.Capabilities{Add: []corev1.Capability{"NET_ADMIN"}},
 							},
 							Image:           r.AgentImage,
 							ImagePullPolicy: r.AgentImagePullPolicy,
